User Sets Arbitrary Data on Page, but Only they can View it?
Posted: Tue Apr 19, 2005 9:34 pm
I've often heard that JavaScript is a tool of evil, but I've never exactly known the full capabilities of its evilness.
What I'd like to know is what damage a person could do if this happened:
We have a page that accepts POST parameters, and then outputs them onto the page without cleaning them (it doesn't do anything else with them). That means that the user can put arbitrary data on the page, but no one else can view it. Is this a security hazard? And if so, how would one exploit it?